I have to admit, it took me a while to understand the voice over IP trend (think Skype, Vonage, or iChat AV for that matter), mainly because it has never actually worked for me. Turns out, that was all my fault.

Constant disconnections have always been frequent. I could rarely sustain a conversation over 5 or 10 minutes, whether it was computer to computer, or computer to phone. I often wondered how anyone could make a case for using VOIP on a frequent basis, and assumed the grass was somehow greener.

My current setup sees my cable modem piping into a wireless router, which I’ve used variably as a wireless or wired hub. I bought it before I was thoroughly versed in the world of Apple so it’s not an Airport, it’s made by SMC. Which means manual configuration.

Now, I’m a bit of a networking geek; I can tell you the difference between NAT and a MAC address, when you’d use DHCP or manually configure an IP, and I can even explain the difference between the TCP part and the IP part.

So, I assumed I had set everything up to work properly (and low bandwidth applications like email and the web worked fine) and it was just my local service provider having issues, or my wireless B-generation router just wasn’t capable of the speeds needed to carry voice and video. Streaming video has always been a problem too, seemingly lending support to my theory. For years I’ve thought this.

A few things came together that pointed to a solution. 1) I bought an iMac that has a built-in iSight. 2) after SXSW Cindy Li hosted Veerle and Geert in Washington. 3) a stroke of inspiration led to 60” TV iSight chats that kept crapping out on us. That’s when Cindy mentioned that iChat AV had a few specific ports that she had to open manually on her router. Hmm.

A bit more research, a bit of plowing through iChat error logs, and it quickly became clear that it was my router’s NAT (Network Address Translation) that was causing the problem. After a few minutes of any chat, the expected delivery address shifted and the connection dropped. Whether I was plugged in with an ethernet cable, or connecting over the wireless, I had the same problem.

I’m going to gloss over a bunch of configuration here, and skip why manually overriding ports doesn’t work very well when your systems use DHCP. But I will say that in theory NAT seems nice and secure, as any computers within a network appear to come from one single IP address: the router’s. So, for the most part, any hacking from the outside could only ever get as far as the router, leaving the computers within the LAN safe enough.

Point being, it’s hard to think about turning that off since it’s clearly a good thing. So I never tried. But after a bit of time on the phone with the local Apple retailer, I decided to bypass the router completely and plug the iMac directly into my cable modem.

And like that, the problem went away. I managed to maintain constant connections over a series of calls yesterday totaling almost two hours of talk time. So the problem was most definitely NAT-induced, and after eliminating that as a factor, I can now do remarkably clear and reliable VOIP sessions.

Now the question is, do I simply turn off NAT, or buy an Airport/Airport Express and expect it to deal with all this gracefully and securely? That’s what I’m not quite sure about yet. Anyone?

Why don’t you open the ports and statically set your IP on the machines in question? Seems a whole safer. Of course, I don’t know how robust/secure Mac firewalls are… so there may not be too much danger in hanging your mac right off the modem.

I’m also confused as to why the delivery address would shift. The NAT should keep a table of every outgoing connection’s original source and destination address and match it to the incoming, and you’d think it would have an ARP table as well. And your machine most definitely shouldn’t be getting a new DHCP address assigned very often.

If I am reading correctly, your problem may be solved with port fowarding (and not having to disable NAT). My linksys router which is almost 2 years old has this capability, and I would assume yous does as well (most likely in some “advanced” settings area).

The idea here is that you tell your router to make a dedicated connection between your computer and the outside wall for a given port. So if iChat uses ports 21345 and 12030 (totally making those up, btw), then you would tell your router to send any traffic over those ports to your specific machine.

This is often necessary for other apps as well (file sharing apps are the first that come to mind).

We have an Airport at the office and at home, and it seems to handle the NAT issues just fine. I have an XBOX 360 at home as well, and I’ve heard that it can easily succumb to NAT as well, more-or-less like VOIP. Butt I’ve got it connected wirelessly to the Airport, and the Airport connected to the modem. And all’s happy. No drops. No lag. No tears.

Not being well versed in Macs, this may stand correction, but TCP/IP is universal, so the real problem to me sounds like a problem with the routers implementation of NAT.

If you could, I would suggest configuring a static IP on your machine(s) and dropping DHCP all together. I would then keep the NAT and open the respective ports on the router. I would also check for a firmware upgrade for your router.

I currently use the same type of setup on my office network consisting of 1 Windows machine(static internal IP), 2 Linux servers (test web, file/fax respectively - both static internal IPs) and one Windows Laptop(DHCP). It goes without saying I have many ports opened for the test server to be accesible to the outside world.

It also may bear mentioning that I am using a old WRT54G Linksys router (1st Generation). Your SMC should be somewhat similar (I would hope anyway)

“Why don’t you open the ports and statically set your IP on the machines in question?”

Mainly cause I need about 25 ports for iChat, manually configuring even one is more work than it should be in the UI on this router, and I like DHCP.

“So there may not be too much danger in hanging your mac right off the modem.”

Maybe, but I’m not exactly comfortable with this regardless. Hence the question about an Airport – I’m assuming, going along with Apple’s It Just Works philosophy, I’d get the best of both worlds. But I don’t know.

“I’m also confused as to why the delivery address would shift.”

Likewise. I didn’t care enough to figure out exactly WHAT was going on here, just observed the symptoms.

“I think there’s a simple solution _somewhere_.”

Seems like I’ve found it. Plug in directly. Just not exactly a wise long-term strategy.

Just to clarify, port forwarding is what I glossed over, though I didn’t really try and pin it down to a static IP. I just assumed my DHCP-assigned address wasn’t changing that often and tried that.

The problem with that is that this router has a horrible UI, and limits the amount of forwarding I can do anyway. So, Airport Airport Airport. Just looking for someone to confirm that I get the port forwarding without opening up a security hole.

You can use DHCP with a static IP address, this is one of the options available in the networking preference pane. I would recommend you do this.

As others have said, you can forward all the ports required by iChat to the ports on your computer. This is something you need to do in your router.

Alternatively, you could just leave your computer outside of the routers firewall by marking your static IP as being in the routers DMZ (de-militarized zone – seriously). This would be handy if you have other computers on your network you want to keep protected, but aren’t concerned about your particular box.

Apple’s Airports are just routers. I don’t see why they would behave any better than any other router. Your Mac comes with a built-in software firewall. You could use this instead of the routers NAT firewall. (You can add rules through the command line, or through the sharing preference pane.)

You should definately get an Airport… the express is cheap and you get the added coolness of AirTunes. In my appartment the only cable outlet was in the living room and my computer is in the second bedroom so now I can play music in the living room! Airport is the was to go.

Right. But remember that Apple also has a big stake in ensuring I can use their software, so I’m assuming an Airport is much more aware of the specific port needs of a Mac environment. It Just Works and all that.

But, I might be way off, and that’s what I’m hoping someone can confirm/deny for me.

Initially we had a problem with Skype not showing us as online when we were, but this has improved. We have a Linksys router with NAT turned on, no port forwarding, and use Skype(Out) on 2 Macs (one connected to the router via Ethernet, one via WiFi) with reasonably reliable performance. We use the Cyberphone K from VoIPVoice:

I haven’t heard anything about the AirPort doing that kind of magic. The only technology I know of that does that is UPnP, which is a Microsoft technology (I believe) and is arguably a security hazard. It would probably have a better interface for port forwarding, however.

It’s almost a design flaw that you can’t do port forwarding based on MAC address in .many routers. I use DHCP with port forwarding and if you’re computer is almost always on (e.g. desktop) or you have just one then it’s not a problem, but if you have a couple laptops I’d imagine it would be heck.

Airport express really isnt solving the problem. Rather purchase a better router. Linksys are very popular and thus a lot of support out there. There is a great site that only a geek could love

linsysinfo.org

Also you the sveasoft.com custom firmware is awesome. So get a new router and then do port forwarding (not port mapping) and all should be good. I did this with Vonage and have never had an issue. Also the sveasoft.com forums do a search on configuring for VOIP.

Port triggering is basically for games, and will say something like, “when a computer inside the network tries to connect to port XYZ on a remote machine, port ABC will be forwarded from the firewall to the machine that made the connection”

that makes it so that you can have a dynamic ip address inside the network and port forwarding turned on only when you need it.

I don’t know anything about iChat or Macs in general, but I know that Skype here is perfectly happy without any special ports opened, just using NAT, even from DHCP-assigned varying addresses. (But then, these addresses effectively never change.) If you need a guaranteed fixed address but still want DHCP, you should be able to configure the DHCP server to reserve an IP address for a specific MAC - that’s what I do here in order to expose some services (NFS shares) only to my desktop computer and forward game ports.

Port forwarding can obviously result in security problems: the firewall no longer blocks the port, instead it is forwarded to the inner computer. If the inner computer can be attacked through that port (usually because a faulty application listens to it), then you have a security hole.
Of course, every other service that’s exposed to the internet has exactly the same security problem. Even a browser that incorrectly handles HTTP resonses has this problem, and no firewall can possibly protect it.

I haven’t got an airport, so I’m not going to be able to add much to the discussion in that respect.

But I just thought I’d mention that there are some problems with UDP in a NAT environment - and lots of interactive applications (including VOIP) use UDP to avoid lag (it’s not error-checked: the packets just keep on flowing). VOIP providers often have a STUN server (Simple Traversal of UDP over NAT) to enable UDP use behind NAT firewall - http://en.wikipedia.org/wiki/STUN has some good information.

That said, I may be way off-base here, because I’d have thought that either it would work, or it wouldn’t…

A good router will do ‘port triggering’ as described above: for a short period after an outbound UDP packet is sent from a port, the return path will be kept open automatically.

A bad router will allow the UDP packet to be sent, but not open the return path, so information never comes back.

The address changes are usually a result of discovery (possibly STUN, possibly something else) failing or misreporting in some way. I don’t know the specifics of iChat AV’s protocols, but it’s possible that it adapts the streams depending upon discovered external factors. If it misdetects those factors, then everything could easily go belly-up as you describe.

Part of the STUN process is the ability for a machine behind a NAT to discover its external IP address; presumably this part of the process (or iChat AV’s equivalent, if it doesn’t use STUN itself) is failing and the Mac can only use its own internal IP.

Solution: find a friend with an AirPort you can borrow (they can back up and restore their configuration using the AirPort Admin Utility) and see if it cures your woes.

This blogger tries to figure out how iChat AV is traversing NATs:http://tim.geekheim.de/2003/06/25/troubleshooting-ichat-av/
and mentions the NAT Check program:http://midcom-p2p.sourceforge.net
saying:
> The program detects if your router is suited to peer-to-peer
> communication or not. For my setup it reports:
>RESULTS:
> Address translation: NAPT (Network Address and Port Translation)
> Consistent translation: YES (GOOD for peer-to-peer)
> Unsolicited messages filtered: YES (GOOD for security)
> The important point seems to be to have NAPT
> and consistent translation. Routers that had
> a NO on consistent translation were not
> able to communicate with me so far.

Finally, here is a post about someone using an “old Cayman DSL router to do NAT and its NAT implementation didn’t support the UPnP NAT Traversal gook which iChat requires to make the connections for AV chatting”:http://slacker.com/~nugget/projects/aebx/

This is a pretty low-tech solution, but I had a similar problem a while back running everything through my Primus VoIP gateway… it would create some pretty bad problems with MSN messenger on my Windows PC.

I used to leave the computer plugged in via ethernet, then ran a USB cable directly to the cable modem (it allows you to connect via USB for one computer). It was a bit of a kludge, but I’d just shut off one net connection and turn on another when I needed to voice chat.

The newer versions of MSN seem to be ok, though, so I’ve left them as-is.

Dave, I really think port forwarding on your existing router is the solution here. You should be able to set up a range of ports on the router interface and forward them onto your IP. This process would be made easier still (and no less secure) if you gave yourself a static IP address and you only need to set this up once. How bad can the UI be?!

Hello Dave, I’m afraid I can’t help you to a greater extent than the comments above - but I’m just curious - how fast is your connection speed; up/down?

USA namely always said to be on the forefront of technology, but it seems like almost all other coutries (except Hong Kong where a 100 mbit symmetric connection is standard), have consistently low connection speeds…

I have Vonyage and love it alot have not tryed Skype but I hear everyone raving about that service so I might give it a try to see. Would be interesting to see an unbias side by side report on all the services out there.

People pointing to Port Triggering are correct, also, if your router supports it, look into IP address reservation so every time you hook a device, the router will always assign the same internal IP address to such device.

For instance: I have my Desktop with a 192.168.1.2 reserved address, my laptop with a 192.168.1.3, and my Vonage phone adapter - which sadly I recently cancelled for Budgeting reasons - at the 192.168.1.5 IP Address.

The Address reservation, combined with the ‘Access List’ allowed to join my WiFi network, gives me a more security (or a sense of) since the router verifies the MAC Address of the device, before allowing it to join the network and assigning a dynamic IP Address.

Also, If you use Vonage, they can provide the TCP ports range you should open for port-forwarding so they always point to your phone adapter. Hopefully: by forwarding that specific range, it doesn’t interfere with your other TCP/UDP services.

I had Vonage for a few months but was not satisfied with the sound quality. When I called to cancel the services, I was charged an additional $50 service charge for cancelling short of 12 months (despite their “no contract” claims). I think this is a pretty shoddy way to treat any customer and have taken every opportunity to let people know.

After that, I used MSN for online chatting using a webcam and mike. Generally, it seems OK though it has most of the same sound quality issues as Vonage.

A few days ago a friend persuaded me to try Skype. I resisted for a long time because I believed the “weak link” was the fact that sound is travelling over IP and that Skype was just another front end. Actually, I find the sound quality is noticeably better than MSN. The fact that Skype In and Skype Out offer an interface to tradional phone systems makes it a serious competitor to Vonage, I’d say, and at a lot less cost.

Search this site:

About This Entry:

You are reading “VOIP Disconnect”, an entry posted on 29 March, 2006, to the Wall Centre Blossoms collection. See other posts in this collection.